On this page, you can configure certain aspects of the validation of S/MIME certificates.
For the most part, this is simply a more user-friendly
version of the same settings you also find in
the section called “Configuring the GnuPG System”. Everything you
can configure here, you can configure there, too, with the
Check certificate validity every
which is Kleopatra-specific.
The meaning of the options is as follows:
- Validate certificates using CRLs
If this option is selected, S/MIME certificates are validated using Certificate Revocation Lists (CRLs).
See Validate certificates online (OCSP) for alternative method of certificate validity checking.
- Validate certificates online (OCSP)
If this option is selected, S/MIME certificates are validated online using the Online Certificates Status Protocol (OCSP).
When choosing this method, a request is sent to the server of the CA more or less each time you send or receive a cryptographic message, thus theoretically allowing the certificate issuing agency to track whom you exchange (e.g.) mails with.
To use this method, you need to enter the URL of the OCSP responder into OCSP responder URL.
See Validate certificates online (OCSP) for a more traditional method of certificate validity checking that does not leak information about whom you exchange messages with.
- OCSP responder URL
Enter here the address of the server for online validation of certificates (OCSP responder). The URL usually starts with
- OCSP responder signature
Choose here the certificate with which the OCSP server signs its replies.
- Ignore service URL of certificates
Each S/MIME certificate usually contains the URL of its issuer's OCSP responder ( → will reveal whether a given certificate contains it).
Checking this option makes GpgSM ignore those URLs and only use the one configured above.
Use this to e.g. enforce use of a company-wide OCSP proxy.
- Do not check certificate policies
By default, GpgSM uses the file
~/.gnupg/policies.txtto check if a certificate policy is allowed. If this option is selected, policies are not checked.
- Never consult a CRL
If this option is checked, Certificate Revocation Lists are never used to validate S/MIME certificates.
- Allow to mark root certificates as trusted
If this option is checked while a root CA certificate is being imported, you will be asked to confirm its fingerprint and to state whether or not you consider this root certificate to be trusted.
A root certificate needs to be trusted before the certificates it certified become trusted, but lightly allowing trusted root certificates into your certificate store will undermine the security of the system.
Enabling this functionality in the backend can lead to popups from PinEntry at inopportune times (e.g. when verifying signatures), and can thus block unattended email processing. For that reason, and because it is desirable to be able to distrust a trusted root certificate again, Kleopatra allows manual setting of trust using → and → .
This setting here does not influence the Kleopatra function.
- Fetch missing issuer certificates
If this option is checked, missing issuer certificates are fetched when necessary (this applies to both validation methods, CRLs and OCSP).
- Do not perform any HTTP requests
Entirely disables the use of HTTP for S/MIME.
- Ignore HTTP CRL distribution point of certificates
When looking for the location of a CRL, the to-be-tested certificate usually contains what are known as “CRL Distribution Point” (DP) entries, which are URLs describing the way to access the CRL. The first-found DP entry is used.
With this option, all entries using the HTTP scheme are ignored when looking for a suitable DP.
- Use system HTTP proxy
If this option is selected, the value of the HTTP proxy shown on the right (which comes from the environment variable
http_proxy) will be used for any HTTP request.
- Use this proxy for HTTP requests
If no system proxy is set, or you need to use a different proxy for GpgSM, you can enter its location here.
It will be used for all HTTP requests relating to S/MIME.
The syntax is
- Do not perform any LDAP requests
Entirely disables the use of LDAP for S/MIME.
- Ignore LDAP CRL distribution point of certificates
When looking for the location of a CRL, the to-be-tested certificate usually contains what are known as "CRL Distribution Point" (DP) entries, which are URLs describing the way to access the CRL. The first found DP entry is used.
With this option, all entries using the LDAP scheme are ignored when looking for a suitable DP.
- Primary host for LDAP requests
Entering an LDAP server here will make all LDAP requests go to that server first. More precisely, this setting overrides any specified
portpart in an LDAP URL and will also be used if
porthave been omitted from the URL.
Other LDAP servers will be used only if the connection to the “proxy” failed. The syntax is
portis omitted, port 389 (standard LDAP port) is used.